[openssl-dev] confusion with rsa_meth_st in a custom RSA engine

Dr. Stephen Henson steve at openssl.org
Mon Aug 28 17:32:30 UTC 2017


On Mon, Aug 28, 2017, Brett R. Nicholas wrote:

> > The rsa_mod_exp function is only called for private key operations. You can't
> > tell if it is a private encrypt or a private decrypt though but that
> > shouldn't matter because the operation performed at that level is the same for
> > both.
> 
> Ah, I see. So to clarify (pls correct me if I'm wrong):
> 
>   *   rsa_mod_exp() is the modular exponentiation function that OpenSSL will attempt to use for all private key operations (if RSA_FLAG_EXT_PKEY is set, or the private parameters of that method are non-null), before defaulting to bn_mod_exp().
>   *   And bn_mod_exp() is the modular exponentiation function used by all public key operations
> 
> 
> So in my case, I should set RSA_FLAG_EXT_PKEY in my engine's RSA_METHOD struct, and then implement my own versions of rsa_mod_exp (for the private key encryption/decryption), and bn_mod_exp (for the public key encryption/decryption).
> 
> 

Yes. Note also that if you set the public key components (n, e) you don't need
to perform the public key operations in your ENGINE if you keep the original
bn_mod_exp(): OpenSSL will do them for you. If possible you should set the
public key components anyway: some operations such as generating certificate
requests require them to be present.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org